Dragos OT Cybersecurity “Year in Review” Reports Rise in Geopolitically Driven Attacks, Ransomware, and Threat Groups
Posted: Wednesday, Feb 21

i 3 Table of Contents

Dragos OT Cybersecurity “Year in Review” Reports Rise in Geopolitically Driven Attacks, Ransomware, and Threat Groups

Dragos Inc., the global leader in cybersecurity for operational technology (OT) environments, today released its sixth annual Dragos OT Cybersecurity Year in Review report, the most comprehensive report on cyber threats facing industrial organisations. The report named the emergence of three new threat groups, including VOLTZITE linked to Volt Typhoon, and found that ransomware continued to be the most reported cyber threat among industrial organisations with a nearly 50% increase in reported incidents. 2023 also saw the first time a hacktivist group achieved Stage 2 of the ICS Cyber Kill Chain.

 

Increased Ransomware Activity 2023

Increased Ransomware Activity 2023

“OT cyber threats reached a tipping point in 2023,” said Robert M. Lee, Co-founder and CEO of Dragos. “Industrial and critical infrastructure has been moving away from highly customised facilities to ones that—for good economic and productivity reasons—share the same industrial devices, technologies, and facility designs across sites and sectors. Unfortunately, adversaries are now leveraging these homogenous infrastructures to scale attacks. They also target weaknesses in environments that pushed digital transformation without adequate cybersecurity measures. These factors contributed to an environment in 2023 in which organisations were challenged with a range of threats, including increasingly sophisticated state actors, hacktivists praying on pervasive security weaknesses, and a growing barrage of ransomware attacks.”
“There were positive developments for OT cybersecurity too,” continued Lee. “We saw vendors, governments, and the community collaborate to enable a unified, risk-based response to threats, as was the case with the ControlLogix vulnerabilities disclosed by Rockwell Automation. We observed that more devices and protocols are incorporating authentication. And we at Dragos experienced triple the number of organisations conducting tabletop exercises, including a 350% increase at the board and executive level, to test and strengthen their OT security strategies.”

Ransomware By Sector - Global

Ransomware By Sector – Global

 

Details of the 2023 Year in Review

  • Dragos identified three new OT Threat Groups – VOLTZITE, GANANITE, and LAURIONITE. With these additions, Dragos analysts now track 21 Threat Groups worldwide that have been observed as being engaged in OT operations in 2023.
    • VOLTZITE targets electric power generation, transmission and distribution and has been observed targeting research, technology, defence industrial bases, satellite services, telecommunications, and educational organisations. The group overlaps with Volt Typhoon, a group that the U.S. Government has publicly linked to the People’s Republic of China. The group’s threat activities include living off the land (LOTL) techniques, prolonged surveillance, and data gathering aligned with Volt Typhoon’s assessed objectives of reconnaissance and gaining geopolitical advantage in the Asia-Pacific region. They have traditionally targeted US-based facilities, but also have been seen targeting organisations in Africa and Southeast Asia. (For more on VOLTZITE, see Dragos’s February 20 Intel Brief.)
    • GANANITE targets critical infrastructure and government entities in the Commonwealth of Independent States and Central Asian nations. The group leverages publicly available proof of concept (POC) exploits for internet-exposed endpoints and focuses on espionage and data theft.
    • LAURIONITE targets and exploits Oracle E-Business Suite iSupplier web services and assets across aviation, automotive, and manufacturing industries. The group utilises a combination of open-source offensive security tooling and public proof of concepts to aid in their exploitation of common vulnerabilities.
  • Geopolitical conflicts drove threat activity with regional and global kinetic events overlapping with OT cybersecurity threats. The Ukraine-Russia conflict prompted more mature threat groups, such as ELECTRUM, to increase activity, while tensions between China and Taiwan contributed to increased targeted cyber espionage attacks against industrial organisations in the Asia-Pacific region and the United States. ​
  • Hacktivists for the first time achieved Stage 2 of the ICS Cyber Kill Chain, when CyberAv3ngers attacked programmable logic controllers (PLCs) used by water utilities across North America and Europe with an anti-Israel message. While hacktivist groups typically conduct distributed denial of service (DDoS) attacks with minimal impact, this attack demonstrated the ability to disrupt OT systems by using unsophisticated methods with weak security controls. Other active hacktivist groups included CyberArmyofRussia_Reborn, NoName057(16), Anonymous Sudan, and Team Insane Pakistan.
  • Ransomware remains the number one attack in the industrial sector increasing 50% from 2022. Lockbit caused 25% of total industrial ransomware attacks, with ALPHV and BlackBasta accounting for 9% each. Manufacturing continues to be the primary target of ransomware and accounted for 71% of all ransomware attacks. The majority of ransomware attacks impacted organisations in North America with 44% of incidents, followed by Europe at 32%. Dragos tracked 50 ransomware variants in 2023, a 28% increase over last year.
  • The number of vulnerabilities that require authentication to exploit is rising, pointing to a positive trend for OT defenders. In 2023, 34% of CVEs required some authentication compared to 25% of CVEs in 2020. On the other hand, of the 2010 vulnerabilities impacting industrial environments disclosed last year, 14% contained erroneous information for prioritising risks in ICS/OT.
  • Front Line Perspectives: Based on data gathered from annual customer service engagements conducted by Dragos’s cybersecurity experts in the field across the range of industrial sectors, the top challenges industrial organisations need to address are:
    • Lack of Sufficient Security Controls: 28% of service engagements involved issues with improper network segmentation or improperly configured firewalls.
    • Improper Network Segmentation: Approximately 70% of OT-related incidents originated from within the IT environment.
    • Lack of Separate IT & OT User Management: 17% of organisations had a shared domain architecture between their IT and OT systems, the most common method of lateral movement and privilege escalation.
    • External Connections to the ICS Environment: Dragos observed four threat groups exploiting public-facing devices and external services and issued findings related to externally facing networks such as the internet in 20% of engagement reports.

YIR Report and Resources

The 2023 Dragos OT Cybersecurity Year in Review is an annual overview and analysis of OT-focused global threat activities, vulnerabilities, and industry insights and trends. The full report, and the accompanying executive summary document, can be downloaded here: https://www.dragos.com/year-in-review

Robert M. Lee
Robert M. Lee is a prominent figure in the cybersecurity industry, notably as the CEO and founder of Dragos, a leading cybersecurity company. Robert serves on the Department of Energy’s Electricity Advisory Committee as the Vice Chair of the Department of Energy’s Grid Resilience for National Security Subcommittee, and is a member of the World Economic Forum’s subcommittees on Cyber Resilience for the Oil & Gas and Electricity communities. With a background in the United States Air Force, where he performed cyber threat intelligence activities, Lee has contributed significantly to the field. He is recognized for his expertise in ICS security, threat intelligence, and incident response. Lee is also an accomplished author, sharing his insights through publications and presentations at major cybersecurity conferences. His work at Dragos reflects a commitment to securing critical infrastructure against evolving cyber threats.
Share This